Total CVEs: 140,315
Critical Severity: 3,712
High Severity: 13,361
Last 7 Days: 1,805
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 6,561 - 6,580 of 36,720 CVEs
CVE-2026-36604 MEDIUM - 6.5

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to int...

Published: Jun 03, 2026
Source: NVD
CVE-2026-36603 HIGH - 8.1

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrar...

Published: Jun 03, 2026
Source: NVD
CVE-2026-36602 MEDIUM - 4.3

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further exploitation.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36460 MEDIUM - 4.8

Dovestones Softwares ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding.

Published: Jun 03, 2026
Source: NVD
CVE-2026-20233 MEDIUM - 6.1

A vulnerability in the web-based user interface of Cisco Webex Meetings could have allowed an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. Cisco has addressed this vulnerability in the Webex Meetings service, and no customer action is needed. This vulnerability...

Vendor: Cisco
Product: Cisco Webex Meetings
Published: Jun 03, 2026
Source: NVD
CVE-2026-20230 HIGH - 8.6

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. This vulnerab...

Vendor: Cisco
Product: Cisco Unified Communications Manager
Published: Jun 03, 2026
Source: NVD
CVE-2026-20175 MEDIUM - 6.1

A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of user-supplied input ...

Vendor: Cisco
Product: Cisco Finesse
Published: Jun 03, 2026
Source: NVD
CVE-2025-71314 MEDIUM - 5.5

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Recover from panthor_gpu_flush_caches() failures. We have seen a few cases where the whole memory subsystem is blocked and flush operations never complete. When that happens, we want to: - schedule a reset, so we can ...

Vendor: Linux
Product: Linux
Published: Jun 03, 2026
Source: NVD
CVE-2025-71313 MEDIUM - 5.5

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Add missing NULL check for alloc_workqueue(). alloc_workqueue() can return NULL on memory allocation failure. Without proper error checking, this may lead to a NULL pointer dereference when queue_work() is later call...

Vendor: Linux
Product: Linux
Published: Jun 03, 2026
Source: NVD
CVE-2019-25720 MEDIUM - 6.5

Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain a denial-of-service vulnerability in all software versions that allows unauthenticated attackers to reboot the monitor by sending a malformed network packet. Attackers can repeatedly send such malformed packets...

Vendor: Dräger
Product: SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL
Published: Jun 03, 2026
Source: NVD
CVE-2026-6657 MEDIUM - 6.1

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. Thi...

Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User...

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vendor: glpi-project
Product: glpi
Published: Jun 03, 2026
Source: NVD

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Published: Jun 03, 2026
Source: NVD
CVE-2026-37462 HIGH - 7.3

An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted BGP UPDATE message.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36748 CRITICAL - 9.0

RockRMS v16.13 and versions before v17.7.0 are vulnerable to Cross Site Scripting (XSS) via Social Media links in the user profile.

Published: Jun 03, 2026
Source: NVD
CVE-2026-36576 CRITICAL - 9.8

An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request.

Published: Jun 03, 2026
Source: NVD